About the SO PIN

The Security Officer PIN (SO PIN) is a string of at least four characters that the cluster administrator must supply to perform certain operations that modify the PKCS#11 file or KMIP store.

How the SO PIN Is Used

In a KMIP environment, the cluster admin must enter the SO PIN to change certain system settings, which can include:
  • Rekeying the common or core KEK keys.
  • Setting a new client certificate to replace an expired certificate.
  • Configuring KMIP IP addresses.
In the file-store environment:
  • The SO PIN prevents unauthorized configuration changes to the PKCS#11 store.
  • The cluster admin does not need to use the SO PIN directly, but it is a best practice to change it to something other than the default value.
  • You must provide the SO PIN only during an mrhsm rekey operation. mrhsm rekey creates a new Core KEK, which is used to encrypt the CLDB key and DARE key.
  • The SO PIN becomes more useful if the cluster is later reconfigured to use an external KMIP keystore.

Specifying the SO PIN

The SO PIN is configured during the initial invocation of configure.sh after you specify the -hsmsopin <so-pin> parameter. See configure.sh. The PIN you specify can be 4-255 characters. All characters are allowed, including combinations of alphabetic, numeric, and special characters.

Default SO PIN

For a new installation of a release 7.0.0 or later Data Fabric cluster, the default SO PIN is 1234 unless you specify the SO PIN after you use configure.sh.

Changing the SO PIN

To change the SO PIN, use the mrhsm sopin command. The command requires you to specify the old (current) and new SO PIN values. For example:
# mrhsm sopin
Current SO PIN: ****
Enter new SO PIN (4-255 characters): ****
Please reenter new SO PIN: ****
New SO PIN is set successfully

If You Lose the SO PIN

Losing or forgetting the SO PIN does not affect normal cluster operations but prevents certain KMIP configuration changes. See FAQ #2 in Frequently Asked Questions.

Upgrading and the SO PIN

By default, the Data Fabric software initializes mrhsm using the same default hsm label and SO PIN as done during a new release 7.0.0 installation (if mrhsm has not already been initialized). You can change default values by specifying -hsmlabel <label> and -hsmsopin <so-pin> options in configure.sh. See Upgrade Notes (Release 7.9).